[Full-disclosure] DDIVRT-2008-17 Orb Directory Traversal
DDI_Vulnerability_Alert
DDI.VulnerabilityAlert at ddifrontline.com
Thu Nov 6 19:59:22 GMT 2008
Title
-----
DDIVRT-2008-17 Orb Directory Traversal
Severity
--------
High
Date Discovered
---------------
October, 21st 2008
Discovered By
-------------
Digital Defense, Inc. Vulnerability Research Team
Credit: Steven James and r at b13$
Vulnerability Description
-------------------------
Orb Networks' Orb media server is vulnerable to directory traversal
attacks. Users can leverage specially crafted GET requests to read
arbitrary files.
Solution Description
--------------------
Use firewall rules to restrict access to authorized users of the Orb
server.
This issue is fixed in version 2.01.0022 available at
http://www.orb.com/download/us/setup_2.01.0022.exe
<http://www.orb.com/download/us/setup_2.01.0022.exe>
Tested Systems / Software (with versions)
------------------------------------------
Orb version 2.01.0017 on Windows XP Pro SP2
Nullsoft Winamp Remote Server Beta (featuring Orb version 2.01.0013) on
Windows XP Pro SP2
Vendor Contact
--------------
Orb Networks
Website: http://www.orb.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20081106/8a2600ce/attachment.html
Full-Disclosure is hosted and sponsored by Secunia.